feat: Add playbooks to manage supabase

playbooks/sync_gitea_secrets.yml

@@ -1,64 +1,51 @@
 ---
 - name: Sync Supabase secrets to Gitea repo variables
-  hosts: localhost
+  hosts: supabase
   connection: local
   gather_facts: false
 
   tasks:
-    - name: Read Supabase dev secrets from Vault
+    - name: Construct env file content
       ansible.builtin.set_fact:
-        _supabase_dev: "{{ lookup('community.hashi_vault.hashi_vault',
-          'secret=oys/dev/supabase url=' + vault_addr + ' engine_mount_point=kv') }}"
-      no_log: true
+        _env_file: |
+          SUPABASE_URL={{ supabase.url }}
+          SUPABASE_ANON_KEY={{ supabase.anon_key }}
+      no_log: false
 
-    - name: Read Supabase prod secrets from Vault
-      ansible.builtin.set_fact:
-        _supabase_prod: "{{ lookup('community.hashi_vault.hashi_vault',
-          'secret=oys/prod/supabase url=' + vault_addr + ' engine_mount_point=kv') }}"
-      no_log: true
-
-    - name: Read Gitea API token from Vault
-      ansible.builtin.set_fact:
-        _gitea_token: "{{ lookup('community.hashi_vault.hashi_vault',
-          'secret=oys/shared/infra/gitea_token url=' + vault_addr + ' engine_mount_point=kv') }}"
-      no_log: true
-
-    - name: Construct ENV_FILE_DEV content
-      ansible.builtin.set_fact:
-        _env_file_dev: |
-          SUPABASE_URL={{ _supabase_dev.url }}
-          SUPABASE_ANON_KEY={{ _supabase_dev.anon_key }}
-      no_log: true
-
-    - name: Construct ENV_FILE_PROD content
-      ansible.builtin.set_fact:
-        _env_file_prod: |
-          SUPABASE_URL={{ _supabase_prod.url }}
-          SUPABASE_ANON_KEY={{ _supabase_prod.anon_key }}
-      no_log: true
-
-    - name: Update ENV_FILE_DEV Gitea variable
+    - name: Check if Gitea variable exists
       ansible.builtin.uri:
-        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/ENV_FILE_DEV"
-        method: PUT
+        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/{{ gitea_variable_name }}"
+        method: GET
         headers:
-          Authorization: "token {{ _gitea_token.value }}"
+          Authorization: "token {{ gitea_token.token }}"
+        status_code: [200, 404]
+      register: _gitea_var_check
+      no_log: true
+
+    - name: Create Gitea variable
+      ansible.builtin.uri:
+        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/{{ gitea_variable_name }}"
+        method: POST
+        headers:
+          Authorization: "token {{ gitea_token.token }}"
           Content-Type: application/json
         body_format: json
         body:
-          value: "{{ _env_file_dev }}"
-        status_code: [201, 204]
+          value: "{{ _env_file }}"
+        status_code: [201]
+      when: _gitea_var_check.status == 404
       no_log: true
 
-    - name: Update ENV_FILE_PROD Gitea variable
+    - name: Update Gitea variable
       ansible.builtin.uri:
-        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/ENV_FILE_PROD"
+        url: "{{ gitea_base_url }}/api/v1/repos/{{ gitea_owner }}/{{ gitea_repo }}/actions/variables/{{ gitea_variable_name }}"
         method: PUT
         headers:
-          Authorization: "token {{ _gitea_token.value }}"
+          Authorization: "token {{ gitea_token.token }}"
           Content-Type: application/json
         body_format: json
         body:
-          value: "{{ _env_file_prod }}"
-        status_code: [201, 204]
+          value: "{{ _env_file }}"
+        status_code: [204]
+      when: _gitea_var_check.status == 200
       no_log: true